Assessing risk for the December 2013 security updates

Today we released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical, while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

The Internet Explorer bulletin addresses five remote code execution and two elevation of privilege vulnerabilities. The elevation of privilege vulnerabilities are not entry points on their own: an attacker who has already achieved code execution inside Internet Explorer's Protected Mode could use them to elevate out of that sandboxed environment.

Attacker sends an email with a malicious attachment and lures the victim into viewing the attachment as a web page within Outlook Web Access. Because the web page is generated on the server, a successful exploit compromises the server-side process that renders the attachment, not the victim's client.

This vulnerability is not exploitable on its own. An attacker combines it with a separate code execution vulnerability to compromise a system.

Maximum severity: Important. Exploitability index: n/a.

This issue has been leveraged as an exploit component in several real-world browser-based attacks.

This vulnerability does not result in code execution directly. However, it is a component attackers use to bypass ASLR, so the Important rating reflects what it does on its own rather than how often it appears in real attacks. Applying this security update disrupts a number of in-the-wild exploits even on systems where the update for the code execution vulnerability they pair it with has not been applied.
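An ASLR bypass of the kind described above typically gives an exploit a module that loads at a predictable address. The page does not say which module is involved or how it is used, so the following is an added example, not code from the bulletin, and it assumes the usual mechanism: a module whose PE headers do not opt in to address space randomization. It parses a PE image's headers to report whether the loader can randomize it (the /DYNAMICBASE flag, and whether relocations were stripped, which silently defeats the opt-in), and flags such modules across a set of images. The `make_test_image` helper builds constructed header-only images for offline testing; they are not real DLLs.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc section, image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: linked with /DYNAMICBASE (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DllCharacteristics: linked with /NXCOMPAT (DEP opt-in)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def aslr_status(image: bytes) -> dict:
    """Parse the PE headers far enough to decide whether the Windows loader will randomize this image's base."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER starts right after the signature
    (file_characteristics,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header layouts.
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "nx_compat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # Opting in is not enough: an image whose relocations were stripped is loaded at its preferred base.
        "aslr": dynamic_base and not relocs_stripped,
    }


def find_non_aslr(modules: dict) -> list:
    """Return the names of modules (name -> image bytes) that would load at a predictable address."""
    return sorted(name for name, image in modules.items() if not aslr_status(image)["aslr"])


def make_test_image(dll_characteristics: int, file_characteristics: int = 0, pe32plus: bool = False) -> bytes:
    """Build a constructed, header-only PE image for testing; it is not a loadable DLL."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0,
                     IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Usage: python aslr_check.py C:\path\to\module1.dll C:\path\to\module2.dll ...
    targets = {path: open(path, "rb").read() for path in sys.argv[1:]}
    if not targets:  # no files given: demonstrate on constructed images
        targets = {"opted-in.dll": make_test_image(0x0140), "legacy.dll": make_test_image(0x0100)}
    for name, image in targets.items():
        print(name, aslr_status(image))
    print("modules without ASLR:", find_non_aslr(targets))
```

Run it over the DLLs that a browser and its add-ons load; any module reported without ASLR is a candidate fixed-address gadget source, which is exactly what this update removes for the module it covers. The check reads headers only, so it works on copies of the files without loading them.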

Attacker sends the victim a link to a malicious server. If the victim clicks the link, the browser makes a request to Microsoft's Office 365 service on the victim's behalf in such a way that the victim's user token is captured by the malicious server. The owner of that server can then log in to SharePoint Online the same way the victim would have been able to.

Maximum severity: Important. Exploitability index: n/a.

This issue was reported to us by Adallom after they detected targeted attacks leveraging this vulnerability.

Attacker sends the victim a link that exploits a Cross-Site Scripting (XSS) vulnerability on an intranet Visual Studio Team Foundation Server (TFS) to which the victim has access rights. If the victim clicks the link, script runs in the victim's authenticated session and takes an action on the TFS server on their behalf that they might not otherwise have wanted to execute.
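The attack above chains two things: an XSS flaw that reflects attacker-supplied content into a page, and the victim's existing session, which lets the injected script issue a state-changing request the server accepts as the victim's. The following is an added illustration of that class of bug, not TFS code and not the bulletin's own material; the page layout and the `/work-items/42/delete` endpoint are hypothetical. It shows a reflected rendering handler beside its hardened form, with a small parser that reports which constructs in the rendered page a browser would execute.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs, delivered through a link the victim clicks and reflected into the page.
# The target path is hypothetical; the point is that the request runs in the victim's own session.
SCRIPT_PAYLOAD = '<script>fetch("/work-items/42/delete", {method: "POST"})</script>'
HANDLER_PAYLOAD = '<img src=x onerror="fetch(\'/work-items/42/delete\', {method: \'POST\'})">'


def render_search_vulnerable(query: str) -> str:
    """Reflects the untrusted query into the page as-is: the reflected XSS pattern."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_search_hardened(query: str) -> str:
    """Same page, with the untrusted value HTML-encoded at the point of output."""
    return f"<html><body><h1>Results for: {html.escape(query, quote=True)}</h1></body></html>"


class ExecutableMarkupFinder(HTMLParser):
    """Collects the markup a browser would execute: script elements and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("script")
        for name, _value in attrs:
            if name.lower().startswith("on"):          # onerror, onload, onclick, ...
                self.found.append(f"{tag}@{name.lower()}")


def executable_markup(page: str) -> list:
    """Return the executable constructs in a rendered page; an empty list means the payload was neutralized."""
    finder = ExecutableMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, HANDLER_PAYLOAD):
        print("vulnerable:", executable_markup(render_search_vulnerable(payload)))
        print("hardened:  ", executable_markup(render_search_hardened(payload)))
```

The hardened handler encodes for an HTML element body; a value placed in an attribute, a URL or a script block needs the encoding for that context instead. Encoding alone also does not help the server tell a deliberate action from a scripted one, which is why state-changing requests should additionally carry an anti-forgery token that injected script in another origin cannot obtain.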